The main lesson is to stop treating untrusted input like HTML whenever you only need to show text.
// Vulnerable
div.innerHTML = userInput;
// Safer
div.textContent = userInput;
That small change keeps the browser from parsing attacker input as real markup.
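To show the difference in working code, here is an added example (not from the original note) that puts the two patterns side by side and adds the escaping fallback for the cases where an HTML string really has to be built. The render functions work against a real browser DOM; the fake document at the end is a constructed stand-in so the example can also run under Node.

```javascript
// Added example; not code from the original note. The render functions run
// against a real DOM in a browser. The fake document at the end is constructed
// only so the example can be exercised outside a browser.

// Vulnerable pattern from the note: the string is handed to the HTML parser,
// so any tags or attributes inside it become real markup.
function renderUnsafe(container, userInput) {
  container.innerHTML = userInput;
  return container;
}

// Safe pattern from the note: the string becomes a single text node. Tags in
// the input are displayed literally, never parsed.
function renderAsText(container, userInput, doc = globalThis.document) {
  const p = doc.createElement('p');
  p.className = 'user-text';   // developer-controlled, not user-controlled
  p.textContent = userInput;   // untrusted value enters as text only
  container.appendChild(p);
  return p;
}

// When you genuinely must build an HTML string (e.g. a template), escape the
// characters that change meaning in element or attribute context instead.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for document/element so this runs outside a browser.
// It records whether a value arrived as markup (innerHTML) or as text.
function fakeDocument() {
  const createElement = (tagName) => ({
    tagName, className: '', children: [], text: '', parsedAsMarkup: false,
    get textContent() { return this.text; },
    set textContent(v) { this.text = String(v); this.parsedAsMarkup = false; },
    set innerHTML(v) { this.text = String(v); this.parsedAsMarkup = true; },
    appendChild(child) { this.children.push(child); return child; },
  });
  return { createElement };
}

// Constructed sample input: benign markup that should be shown, not rendered.
const SAMPLE = '<b>hello</b> & "world"';
```

In a browser, pass the real `document` (the default) and a real container element; the `parsedAsMarkup` flag exists only on the fake elements.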